ulimit and /etc/security/limits.conf explained

ulimit


First, let's look at where the ulimit command lives.

which ulimit

There is no output at all, because ulimit is a shell builtin.

man ulimit

Ubuntu

ULIMIT(3)                                             Linux Programmer's Manual                                             ULIMIT(3)
  
NAME
       ulimit - get and set user limits

SYNOPSIS
       #include <ulimit.h>

       long ulimit(int cmd, long newlimit);

DESCRIPTION
       Warning:  this  routine is obsolete.  Use getrlimit(2), setrlimit(2), and sysconf(3) instead.  For the shell command ulimit(),
       see bash(1).

       The ulimit() call will get or set some limit for the calling process.  The cmd argument can have one of the following values.

       UL_GETFSIZE
              Return the limit on the size of a file, in units of 512 bytes.

       UL_SETFSIZE
              Set the limit on the size of a file.

       3      (Not implemented for Linux.)  Return the maximum possible address of the data segment.

       4      (Implemented but no symbolic constant provided.)  Return the maximum number of files that the calling process can open.

RETURN VALUE
       On success, ulimit() returns a nonnegative value.  On error, -1 is returned, and errno is set appropriately.

ERRORS
       EPERM  An unprivileged process tried to increase a limit.

ATTRIBUTES
       For an explanation of the terms used in this section, see attributes(7).

       ┌──────────┬───────────────┬─────────┐
       │Interface │ Attribute     │ Value   │
       ├──────────┼───────────────┼─────────┤
       │ulimit()  │ Thread safety │ MT-Safe │
       └──────────┴───────────────┴─────────┘

CONFORMING TO
       SVr4, POSIX.1-2001.  POSIX.1-2008 marks ulimit() as obsolete.

SEE ALSO
       bash(1), getrlimit(2), setrlimit(2), sysconf(3)

COLOPHON
       This page is part of release 5.05 of the Linux man-pages project.  A description of the project, information  about  reporting
       bugs, and the latest version of this page, can be found at https://www.kernel.org/doc/man-pages/.

The page above documents the ulimit() library function, not the shell command, so it is not much use here.

CentOS

There is no such page here, so I won't paste anything.

ulimit --help

ulimit: ulimit [-SHabcdefiklmnpqrstuvxPT] [limit]
    Modify shell resource limits.
    
    Provides control over the resources available to the shell and processes
    it creates, on systems that allow such control.
    
    Options:
      -S	use the `soft' resource limit
      -H	use the `hard' resource limit
      -a	all current limits are reported
      -b	the socket buffer size
      -c	the maximum size of core files created
      -d	the maximum size of a process's data segment
      -e	the maximum scheduling priority (`nice')
      -f	the maximum size of files written by the shell and its children
      -i	the maximum number of pending signals
      -k	the maximum number of kqueues allocated for this process
      -l	the maximum size a process may lock into memory
      -m	the maximum resident set size
      -n	the maximum number of open file descriptors
      -p	the pipe buffer size
      -q	the maximum number of bytes in POSIX message queues
      -r	the maximum real-time scheduling priority
      -s	the maximum stack size
      -t	the maximum amount of cpu time in seconds
      -u	the maximum number of user processes
      -v	the size of virtual memory
      -x	the maximum number of file locks
      -P	the maximum number of pseudoterminals
      -T	the maximum number of threads
    
    Not all options are available on all platforms.
    
    If LIMIT is given, it is the new value of the specified resource; the
    special LIMIT values `soft', `hard', and `unlimited' stand for the
    current soft limit, the current hard limit, and no limit, respectively.
    Otherwise, the current value of the specified resource is printed.  If
    no option is given, then -f is assumed.
    
    Values are in 1024-byte increments, except for -t, which is in seconds,
    -p, which is in increments of 512 bytes, and -u, which is an unscaled
    number of processes.
    
    Exit Status:
    Returns success unless an invalid option is supplied or an error occurs.

Likewise, this command prints detailed output on Ubuntu, while on CentOS it is rejected as an invalid command.

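| Option | Description |
|---|---|
| -H | Sets the hard resource limit. |
| -S | Sets the soft resource limit. |
| -a | Displays all current resource limits. |
| -c size | Sets the maximum core file size. Unit: blocks. Default: 0 |
| -d size | Sets the maximum data segment size. Unit: kbytes. Default: unlimited |
| -e | Scheduling priority, generally set according to nice. Default: 0 |
| -f size | Sets the maximum size of created files. Unit: blocks. Default: unlimited |
| -i | Pending signals value. Default: 3766 |
| -l size | Sets the maximum amount a process can lock in memory. Unit: kbytes. Default: 64 |
| -m size | Sets the maximum resident memory that can be used. Unit: kbytes. Default: unlimited |
| -n size | Sets the maximum number of file descriptors that can be open at the same time. Default: 1024 |
| -p size | Sets the maximum pipe buffer size. Unit: kbytes. Default: 8 |
| -q | Maximum size of the POSIX message queues that can be created. Unit: bytes. Default: 819200 |
| -r | Limits the range of a program's real-time priority; applies only to ordinary users. Default: 0 |
| -s size | Sets the maximum stack size. Unit: kbytes. Default: 8192 |
| -t size | Sets the upper limit on CPU time. Unit: seconds. Default: unlimited |
| -u <number of processes> | Maximum number of processes a user can start. Default: 3766 |
| -v size | Sets the maximum virtual memory size. Unit: kbytes. Default: unlimited |
| -x | File lock limit. Default: unlimited |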

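For a more detailed explanation, see https://wiki.archlinux.org/title/Limits.conf
As for the meaning of hard and soft: one can only be changed by the superuser, the other can be changed by ordinary users. See https://man.archlinux.org/man/limits.conf.5
The man page above also mentions setrlimit, so its detailed documentation is worth reading too. Put simply, the hard limit cannot be exceeded, while on reaching the soft limit the process receives some SIGN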

/etc/security/limits.conf

The command above reads **/etc/security/limits.conf**.
The file typically looks like this:

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#        - NOTE: group and wildcard limits are not applied to root.
#          To apply a limit to the root user, <domain> must be
#          the literal username root.
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#        - chroot - change root to directory (Debian-specific)
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#root            hard    core            100000
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#ftp             -       chroot          /ftp
#@student        -       maxlogins       4

# End of file

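The fields mean the following:

| Field | Description |
|---|---|
| domain | The entity the limit applies to |
| user | A user name |
| @group | A specific user group |
| * | The default entry |
| type | The kind of limit |
| soft | Soft limit |
| hard | Hard limit |
| item | The resource being limited |
| core | Same as ulimit -c |
| data | Same as ulimit -d |
| fsize | Same as ulimit -f |
| memlock | Same as ulimit -l |
| nofile | Same as ulimit -n |
| stack | Same as ulimit -s |
| cpu | Same as ulimit -t |
| nproc | Same as ulimit -u |
| maxlogins | Number of simultaneous logins allowed for the given user |
| maxsyslogins | Number of users that can be logged in to the system at the same time |
| priority | Priority at which the user's processes run |
| locks | Maximum number of files the user can lock |
| sigpending | Same as ulimit -i |
| msgqueue | Same as ulimit -q |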

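According to the Arch Linux documentation, there is also a nice item for setting priority: -20 is the highest priority and 19 the lowest. To make sure the superuser can still troubleshoot problems, root can be given -20.

Use in Kubernetes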

ulimit -SHn 65535 && \
echo '
* soft nofile 655360
* hard nofile 131072
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
'>>/etc/security/limits.conf

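Also, according to what is said here, nofile should not be set too large either; check it with more /proc/sys/fs/file-nr. I tried it, though, and the default value in file-nr is very large, so it will not be exceeded.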
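An added example, not from the original post: a small shell/awk linter for limits.conf-style lines that flags a misspelled type, an item name outside the list in the file's header comments, and a soft value above the hard value for the same domain and item. The names lint_limits and sample_limits are hypothetical, the sample input is constructed, and only entries with an identical domain are compared.

```shell
#!/bin/sh
lint_limits() {
    awk '
    BEGIN {
        list = "core data fsize memlock nofile rss stack cpu nproc as maxlogins"
        list = list " maxsyslogins priority locks sigpending msgqueue nice rtprio chroot"
        n = split(list, names, " ")
        for (i = 1; i <= n; i++) known[names[i]] = 1
    }
    # Map a value to a number; the "no limit" spellings become a large sentinel.
    function num(v) {
        if (v == "unlimited" || v == "infinity" || v == "-1") return 1e18
        return v + 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; next }
    {
        if ($2 != "soft" && $2 != "hard" && $2 != "-") {
            printf "line %d: unknown type \"%s\"\n", NR, $2; next
        }
        if (!($3 in known)) {
            printf "line %d: unknown item \"%s\"\n", NR, $3; next
        }
        if ($3 == "chroot") next           # value is a path, not a number
        key = $1 " " $3
        if ($2 != "hard") { soft[key] = num($4); where[key] = NR }
        if ($2 != "soft") hard[key] = num($4)
    }
    END {
        for (key in soft)
            if ((key in hard) && soft[key] > hard[key])
                printf "line %d: soft value for [%s] exceeds its hard value\n", where[key], key
    }' "$@"
}

# Constructed sample input, not taken from a real host.
sample_limits() {
    cat <<'EOF'
# constructed sample
*       soft  nofile   655360
*       hard  nofile   131072
*       seft  memlock  unlimited
*       hard  memlock  unlimited
@ops    hard  nprocs   4096
deploy  -     nproc    8192
EOF
}
sample_limits | lint_limits
```

To check a real file before appending to it, pass the path as an argument: lint_limits /etc/security/limits.conf.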
